COMMAND

    Cisco

SYSTEMS AFFECTED

    Cisco

PROBLEM

    Following  is  based  on  a  Cisco  Security  Advisory.  Cisco IOS
    software contains  a flaw  that permits  the successful prediction
    of TCP Initial  Sequence Numbers.   This vulnerability is  present
    in all released  versions of Cisco  IOS software running  on Cisco
    routers  and  switches.   It  only  affects  the  security  of TCP
    connections  that  originate  or  terminate  on the affected Cisco
    device itself; it does not apply to TCP traffic forwarded  through
    the affected device in transit between two other hosts.  To remove
    the vulnerability,  Cisco is  offering free  software upgrades for
    all affected platforms.   The defect is  described in DDTS  record
    CSCds04747.

    The vulnerability  is present  in all  Cisco routers  and switches
    running affected releases of Cisco IOS Software.

    To provide  reliable delivery  in the  Internet, the  Transmission
    Control Protocol  (TCP) makes  use of  a sequence  number in  each
    packet to provide  orderly reassembly of  data after arrival,  and
    to notify the sending host  of the successful arrival of  the data
    in each packet.  TCP  sequence numbers are 32-bit integers  in the
    circular range of  0 to 4,294,967,295.   The host devices  at both
    ends  of  a  TCP  connection  exchange  an Initial Sequence Number
    (ISN) selected at random from that  range as part of the setup  of
    a new TCP connection.   After the session is established  and data
    transfer begins,  the sequence  number is  regularly augmented  by
    the number  of octets  transferred, and  transmitted to  the other
    host.  To prevent the receipt and reassembly of duplicate or  late
    packets in a TCP stream,  each host maintains a "window",  a range
    of values  close to  the expected  sequence number,  in which  the
    sequence number in  an arriving packet  must fall if  it is to  be
    accepted.  Assuming a packet  arrives with the correct source  and
    destination  IP  addresses,  source  and destination port numbers,
    and a sequence number  within the allowable window,  the receiving
    host will accept the packet as genuine.

    This method provides reasonably good protection against accidental
    receipt of unintended data.   However, to guard against  malicious
    use,  it  should  not  be  possible  for  an  attacker  to infer a
    particular number in the sequence.  If the initial sequence number
    is not  chosen randomly  or if  it is  incremented in a non-random
    manner  between  the  initialization  of  subsequent TCP sessions,
    then it  is possible,  with varying  degrees of  success, to forge
    one half of a  TCP connection with another  host in order to  gain
    access to that host, or hijack an existing connection between  two
    hosts in order to compromise  the contents of the TCP  connection.
    To guard  against such  compromises, ISNs  should be  generated as
    randomly as possible.

    This defect, documented as DDTS CSCds04747, has been corrected  by
    providing an improved method  for generating TCP Initial  Sequence
    Numbers.

    Forged packets  can be  injected into  a network  from a  location
    outside its boundary so that they are trusted as authentic by  the
    receiving host, thus  resulting in a  failure of integrity.   Such
    packets  could  be  crafted  to  gain  access  or  make some other
    modification  to  the  receiving  system  in  order to attain some
    goal, such as gaining unauthorized interactive access to a  system
    or compromising stored data.

    From  a  position  within  the  network  where  it  is possible to
    receive  the  return  traffic  (but  not necessarily in a position
    that  is  directly  in  the  traffic  path),  a  greater  range of
    violations is possible.   For example, the  contents of a  message
    could  be  diverted,  modified,  and  then returned to the traffic
    flow again, causing a failure of integrity and a possible  failure
    of confidentiality.

    Any compromise using this  vulnerability is only possible  for TCP
    sessions that originate or terminate on the affected Cisco  device
    itself.  It does not apply to TCP traffic that is merely forwarded
    through the device.

SOLUTION

    The following table summarizes the IOS software releases that  are
    known  to  be  affected,  and  the  earliest  estimated  dates  of
    availability  for  the  recommended  fixed  versions.   Dates  are
    always tentative and subject to change.

    +===========================================================================+
       Train     Description of         Availability of Fixed Releases*
                Image or Platform
    +===========================================================================+
         11.0-based Releases          Rebuild      Interim**    Maintenance
    +===========================================================================+
                                  11.0(22a)
        11.0    Major GD release
                for all platforms 2001-Mar-08
    +===========================================================================+
         11.1-based Releases          Rebuild      Interim**    Maintenance
    +===========================================================================+
                                  11.1(24a)
        11.1    Major release for
                all platforms     2001-Mar-08
    +----------+-----------------+---------------+-----------+------------------+
                ED release for    Unavailable
       11.1AA   access servers:   Upgrade recommended to 12.1(7), available
                1600, 3200, and
                5200 series.      2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Platform-specific 11.1(36)CA1
       11.1CA   support for 7500,
                7200, 7000, and
                RSP               2001-Mar-02
    +----------+-----------------+---------------+-----------+------------------+
                ISP train: added
                support for FIB,  11.1(36)CC1
       11.1CC   CEF, and NetFlow
                on 7500, 7200,    2001-Mar-02
                7000, and RSP
    +----------+-----------------+---------------+-----------+------------------+
                Added support for 12.0(11)ST2
       11.1CT   Tag Switching on
                7500, 7200, 7000,
                and RSP           2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                                  11.1(28a)IA1
       11.1IA   Distributed
                Director only     2001-Feb-26
    +===========================================================================+
         11.2-based Releases          Rebuild      Interim**    Maintenance
    +===========================================================================+
                Major release,    11.2(25a)                   11.2(25)
        11.2    general
                deployment        2001-Mar-05                 Available
    +----------+-----------------+---------------+-----------+------------------+
                Platform-specific Unavailable
                support for IBM
       11.2BC   networking, CIP,
                and TN3270 on     Upgrade recommended to 12.1(7), available
                7500, 7000, and   2001-Feb-26
                RSP
    +----------+-----------------+---------------+-----------+------------------+
                                  Unavailable
       11.2F    Feature train for
                all platforms     Upgrade recommended
    +----------+-----------------+---------------+-----------+------------------+
                Early deployment  Unavailable
       11.2GS   release to        Upgrade recommended to 12.0(15)S1,
                support 12000 GSR available 2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                                  11.2(25a)P                  11.2(25)P
       11.2P    New platform
                support           2001-Mar-05                 Available
    +----------+-----------------+---------------+-----------+------------------+
                                  Unavailable
       11.2SA   Catalyst 2900XL   Upgrade recommended to 12.1WC, available
                switch only
                                  2001-Apr-12
    +----------+-----------------+---------------+-----------+------------------+
                                  Unavailable
      11.2WA3   LightStream 1010  Upgrade recommended to 12.0(10)W5(20,
                ATM switch
                                  available 2001-Feb-28
    +----------+-----------------+---------------+-----------+------------------+
                Initial release   11.2(25a)P                  11.2(25)P
     11.2(4)XA  for the 1600 and
                3600              2001-Mar-05                 Available
    +----------+-----------------+---------------+-----------+------------------+
                Initial release
                for the 5300 and  11.2(25a)P                  11.2(25)P
     11.2(9)XA  digital modem
                support for the   2001-Mar-05                 Available
                3600
    +===========================================================================+
         11.3-based Releases          Rebuild      Interim**    Maintenance
    +===========================================================================+
                                  11.3(11b)
        11.3    Major release for
                all platforms     2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                ED for dial
                platforms and     11.3(11a)AA
       11.3AA   access servers:
                5800, 5200, 5300, 2001-Mar-05
                7200
    +----------+-----------------+---------------+-----------+------------------+
                Early deployment  Unavailable
       11.3DA   train for ISP     Upgrade recommended to 12.1(5)DA1,
                DSLAM 6200
                platform          available 2001-Mar-19
    +----------+-----------------+---------------+-----------+------------------+
                Early deployment
                train for         Unavailable
                ISP/Telco/PTT
       11.3DB   xDSL broadband
                concentrator      Upgrade recommended to 12.1(4)DB1,
                platform, (NRP)   available 2001-Feb-28
                for 6400
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived ED
       11.3HA   release for ISR   Vulnerable
                3300 (SONET/SDH
                router)
    +----------+-----------------+---------------+-----------+------------------+
                MC3810            11.3(1)MA8
       11.3MA   functionality
                only              2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Voice over IP,    Unavailable
       11.3NA   media             Upgrade recommended to 12.1(7), available
                convergence,
                various platforms 2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Early deployment  11.3(11b)T1
       11.3T    major release,
                feature-rich for
                early adopters    2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Multilayer
                Switching and     Unavailable
                Multiprotocol
                over ATM
      11.3WA4   functionality for
                Catalyst 5000     Upgrade recommended to 12.0(14)W5(20),
                RSM, 4500, 4700,  available 2001-Feb-28
                7200, 7500,
                LightStream 1010
    +----------+-----------------+---------------+-----------+------------------+
                                  11.3(11b)T1
     11.3(2)XA  Introduction of
                ubr7246 and 2600  2001-Mar-05
    +===========================================================================+
         12.0-based Releases          Rebuild      Interim**    Maintenance
    +===========================================================================+
                General                                       12.0(15)
        12.0    deployment
                release for all
                platforms                                     Available
    +----------+-----------------+---------------+-----------+------------------+
                                  Unavailable
       12.0DA   xDSL support:     Upgrade recommended to 12.1(5)DA1,
                6100, 6200
                                  available 2001-Mar-19
    +----------+-----------------+---------------+-----------+------------------+
                General           Unavailable
       12.0DB   deployment        Upgrade recommended to 12.1(4)DB1,
                release for all
                platforms         available 2001-Feb-28
    +----------+-----------------+---------------+-----------+------------------+
                General           Unavailable
       12.0DC   deployment        Upgrade recommended to 12.1(4)DC2,
                release for all
                platforms         available 2001-Feb-28
    +----------+-----------------+---------------+-----------+------------------+
                                  12.0(14)S1      12.0(14.6)S
       12.0S    Core/ISP support:
                GSR, RSP, c7200   Available       Available
    +----------+-----------------+---------------+-----------+------------------+
                                  12.0(15)SC1
       12.0SC   Cable/broadband
                ISP: ubr7200      2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                                  12.0(14)SL1
       12.0SL   10000 ESR: c10k
                                  2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                General           12.0(11)ST2
       12.0ST   deployment
                release for all
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                                  12.0(5c)E8
       12.0SX   Early Deployment
                (ED)              2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Early             Unavailable
                Deployment(ED):
       12.0T    VPN, Distributed
                Director, various Upgrade recommended to 12.1(7), available
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Catalyst
                switches:
                cat8510c,                                     12.0(14)W5(20)
                cat8540c, c6msm,
                ls1010, cat8510m,
       12.0W5   cat8540m, c5atm,
                c5atm, c3620,
                c3640, c4500,
                c5rsfc, c5rsm,                                2001-Feb-28
                c7200, rsp,
                cat2948g, cat4232
    +----------+-----------------+---------------+-----------+------------------+
                General           12.0(13)WT6(1)
       12.0WT   deployment
                release for all
                platforms         2001-Feb-20
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  Unavailable
       12.0XA   (ED): limited     Upgrade recommended to 12.1(7), available
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early Unavailable
       12.0XB   deployment        Upgrade recommended to 12.1(7), available
                release           2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  Unavailable
       12.0XC   (ED): limited     Upgrade recommended to 12.1(7), available
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  Unavailable
       12.0XD   (ED): limited     Upgrade recommended to 12.1(7), available
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  Unavailable
       12.0XE   (ED): limited     Upgrade recommended to 12.1(5)E8,
                platforms         available 2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  Unavailable
       12.0XF   (ED): limited     Upgrade recommended to 12.1(7), available
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  Unavailable
       12.0XG   (ED): limited     Upgrade recommended to 12.1(7), available
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.0(4)XH5
       12.0XH   (ED): limited
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  Unavailable
       12.0XI   (ED): limited     Upgrade recommended to 12.1(7), available
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  Unavailable
       12.0XJ   (ED): limited     Upgrade recommended to 12.1(7), available
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.0(7)XK4
       12.0XK   (ED): limited
                platforms         2001-Mar-19
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.0(4)XH5
       12.0XL   (ED): limited                                 12.1(7)
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.0(5)XM1
       12.0XM   deployment
                release           2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment
       12.0XN   (ED): limited
                platforms
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  Unavailable
       12.0XP   (ED): limited     Upgrade recommended to 12.1WC, available
                platforms         2001-Apr-12
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early Unavailable
       12.0XQ   deployment        Upgrade recommended to 12.1(7), available
                release           2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early Unavailable
       12.0XR   deployment        Upgrade recommended to 12.1(5)T5,
                release           available 2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early Unavailable
       12.0XS   deployment        Upgrade recommended to 12.1(5)E8,
                release           available 2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  Unavailable
       12.0XU   (ED): limited     Upgrade recommended to 12.1WC, available
                platforms         2001-Apr-12
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early Unavailable
       12.0XV   deployment        Upgrade recommended to 12.1(5)T5,
                release           available 2001-Mar-05
    +===========================================================================+
         12.1-based and Later
               Releases               Rebuild      Interim**    Maintenance
    +===========================================================================+
                General                                       12.1(7)
        12.1    deployment
                release for all
                platforms                                     Available
    +----------+-----------------+---------------+-----------+------------------+
                                                              12.1(7)AA
       12.1AA   Dial support
                                                              2001-Mar-12
    +----------+-----------------+---------------+-----------+------------------+
                                  12.1(5)DA1                  12.1(6)DA
       12.1DA   xDSL support:
                6100, 6200        2001-Feb-28                 Available
    +----------+-----------------+---------------+-----------+------------------+
                                                              12.1(4)CX
       12.1CX   Core/ISP support:
                GSR, RSP, c7200                               2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                General           12.1(4)DB1
       12.1DB   deployment
                release for all
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                General           12.1(4)DC2
       12.1DC   deployment
                release for all
                platforms         2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                                  12.1(5c)E8      12.1(5.6)E
       12.1E    Core/ISP support:
                GSR, RSP, c7200   2001-Mar-5
    +----------+-----------------+---------------+-----------+------------------+
                                  12.1(5)EC1      12.1(4.5)EC
       12.1EC   Core/ISP support:
                GSR, RSP, c7200   2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                                  12.1(5c)EX
       12.1EX   Core/ISP support:
                GSR, RSP, c7200   2001-Mar-5
    +----------+-----------------+---------------+-----------+------------------+
                Early
                Deployment(ED):   12.1(5)T5
       12.1T    VPN, Distributed
                Director, various 2001-Mar-05
                platforms
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(5)T5
       12.1XA   (ED): limited
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(5)T5
       12.1XB   (ED): limited
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(5)T5
       12.1XC   (ED): limited
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(5)T5
       12.1XD   (ED): limited
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(5)T5
       12.1XE   (ED): limited
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(2)XF3
       12.1XF   (ED): 811 and 813
                (c800 images)     2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(3)XG3
       12.1XG   (ED): 800, 805,
                820, and 1600     Available
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(2)XH1
       12.1XH   (ED): limited
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(3)XI6
       12.1XI   (ED): limited
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment                              Indeterminate
       12.1XJ   (ED): limited
                platforms                                     Unscheduled
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(5)T5
       12.1XK   (ED): limited
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(3)XL1
       12.1XL   (ED): limited
                platforms         2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.1(5)XM1
       12.1XM   deployment
                release           2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(3)XP3
       12.1XP   (ED): 1700 and
                SOHO              2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.1(3)XQ1
       12.1XQ   deployment
                release           2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.1(5)XR1
       12.1XR   deployment
                release           2001-Feb-20
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early                             12.1(5)XS
       12.1XS   deployment
                release                                       2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                                  12.1(3)XT1
       12.1XT   Early Deployment
                (ED): 1700 series Available
    +----------+-----------------+---------------+-----------+------------------+
                Early Deployment  12.1(5)XU1
       12.1XU   (ED): limited
                platforms         2001-Feb-15
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.1(5)XV1
       12.1XV   deployment
                release           2001-Mar-05
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.1(5)XW2
       12.1XW   deployment
                release           2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.1(5)XX3
       12.1XX   deployment
                release           2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.1(5)XY4
       12.1XY   deployment
                release           2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.1(5)XZ2
       12.1XZ   deployment
                release           2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.1(5)YA1
       12.1YA   deployment
                release           2001-Feb-28
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early                             12.1(5)YB
       12.1YB   deployment
                release                                       2001-Feb-13
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early 12.1(5)YC1
       12.1YC   deployment
                release           2001-Feb-26
    +----------+-----------------+---------------+-----------+------------------+
                Short-lived early                             12.1(5)YD
       12.1YD   deployment
                release                                       2001-Mar-12
    +===========================================================================+
                                      Notes
    +===========================================================================+
     * All dates are estimated and subject to change.
    
     ** Interim releases are subjected to less rigorous testing than regular
     maintenance releases, and may have serious bugs.
    +===========================================================================+

    There is no specific  configurable workaround to directly  address
    the possibility of predicting a  TCP Initial Sequence Number.   To
    prevent  malicious  use  of  this  vulnerability  from  inside the
    network,  ensure  that  transport  that  makes  interception   and
    modification detectable, if not altogether preventable, is in  use
    as appropriate.  Examples include using IPSEC or SSH to the  Cisco
    device for interactive session, MD5 authentication to protect  BGP
    sessions, strong authentication for access control, and so on.

    Malicious use of  this vulnerability from  a position outside  the
    administrative boundaries of the network can be mitigated, if  not
    prevented entirely, by using  access control lists to  prevent the
    injection  of  packets  with  forged  source  or  destination   IP
    addresses.